security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2024-06-08 23:37:47 +02:00
Code Activity

gpg: Do not require a trustdb with --always-trust.

Browse Source 
* g10/tdbio.c (tdbio_set_dbname): Add arg R_NOFILE.
* g10/trustdb.c (trustdb_args): Add field no_trustdb.
(init_trustdb): Set that field.
(revalidation_mark):  Take care of a nonexistent trustdb file.
(read_trust_options): Ditto.
(get_ownertrust): Ditto.
(get_min_ownertrust): Ditto.
(update_ownertrust): Ditto.
(update_min_ownertrust): Ditto.
(clear_ownertrusts): Ditto.
(cache_disabled_value): Ditto.
(check_trustdb_stale): Ditto.
(get_validity): Ditto.
* g10/gpg.c (main): Do not create a trustdb with most commands for
trust-model always.
--

This slightly changes the semantics of most commands in that they
won't create a trustdb if --trust-model=always is used.  It just does
not make sense to create a trustdb if there is no need for it.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 1a0eeaacd1)

Resolved conflicts:
	g10/gpg.c
	g10/tdbio.h
	g10/trustdb.c
 (indentation fixes)
This commit is contained in:
Werner Koch 2013-10-11 09:25:58 +02:00
parent 0a10f1f91e
commit 2528178e7e
5 changed files with 131 additions and 93 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
NEWS
View File

@ -1,6 +1,8 @@
Noteworthy changes in version 1.4.16 (unreleased)
-------------------------------------------------
* Do not create a trustdb file if --trust-model=always is used.
Noteworthy changes in version 1.4.15 (2013-10-04)
-------------------------------------------------

8
g10/gpg.c
View File

@ -3318,14 +3318,12 @@ main (int argc, char **argv )
case aFixTrustDB:
case aExportOwnerTrust: rc = setup_trustdb( 0, trustdb_name ); break;
case aListTrustDB: rc = setup_trustdb( argc? 1:0, trustdb_name ); break;
case aEncr:
case aEncrFiles:
/* No need to create the trust model if we are using the
default:
/* No need to create the trust model if we are using the
* always trust model. */
rc = setup_trustdb (opt.trust_model != TM_ALWAYS, trustdb_name);
break;
default: rc = setup_trustdb(1, trustdb_name ); break;
}
}
if( rc )
log_error(_("failed to initialize the TrustDB: %s\n"), g10_errstr(rc));

8
g10/tdbio.c
View File

@ -471,7 +471,7 @@ create_version_record (void)
int
tdbio_set_dbname( const char *new_dbname, int create )
tdbio_set_dbname( const char *new_dbname, int create, int *r_nofile)
{
char *fname;
static int initialized = 0;
@ -481,6 +481,8 @@ tdbio_set_dbname( const char *new_dbname, int create )
initialized = 1;
}
*r_nofile = 0;
if(new_dbname==NULL)
fname=make_filename(opt.homedir,"trustdb" EXTSEP_S "gpg", NULL);
else if (*new_dbname != DIRSEP_C )
@ -499,7 +501,9 @@ tdbio_set_dbname( const char *new_dbname, int create )
xfree(fname);
return G10ERR_TRUSTDB;
}
if( create ) {
if (!create)
*r_nofile = 1;
else {
FILE *fp;
TRUSTREC rec;
int rc;

2
g10/tdbio.h
View File

@ -90,7 +90,7 @@ typedef struct trust_record TRUSTREC;
/*-- tdbio.c --*/
int tdbio_update_version_record(void);
int tdbio_set_dbname( const char *new_dbname, int create );
int tdbio_set_dbname( const char *new_dbname, int create, int *r_nofile);
const char *tdbio_get_dbname(void);
void tdbio_dump_record( TRUSTREC *rec, FILE *fp );
int tdbio_read_record( ulong recnum, TRUSTREC *rec, int expected );

204
g10/trustdb.c
View File

@ -48,7 +48,7 @@
/*
* A structure to store key identification as well as some stuff needed
* for validation
* for validation
*/
struct key_item {
struct key_item *next;
@ -64,7 +64,7 @@ typedef struct key_item **KeyHashTable; /* see new_key_hash_table() */
/*
* Structure to keep track of keys, this is used as an array wherre
* the item right after the last one has a keyblock set to NULL.
* the item right after the last one has a keyblock set to NULL.
* Maybe we can drop this thing and replace it by key_item
*/
struct key_array {
@ -77,6 +77,7 @@ static struct {
int init;
int level;
char *dbname;
int no_trustdb; /* Set if a trustdb file is not available. */
} trustdb_args;
/* some globals */
@ -96,7 +97,7 @@ static struct key_item *
new_key_item (void)
{
struct key_item *k;
k = xmalloc_clear (sizeof *k);
return k;
}
@ -118,11 +119,11 @@ release_key_items (struct key_item *k)
* For fast keylook up we need a hash table. Each byte of a KeyIDs
* should be distributed equally over the 256 possible values (except
* for v3 keyIDs but we consider them as not important here). So we
* can just use 10 bits to index a table of 1024 key items.
* can just use 10 bits to index a table of 1024 key items.
* Possible optimization: Don not use key_items but other hash_table when the
* duplicates lists gets too large.
* duplicates lists gets too large.
*/
static KeyHashTable
static KeyHashTable
new_key_hash_table (void)
{
struct key_item **tbl;
@ -143,7 +144,7 @@ release_key_hash_table (KeyHashTable tbl)
xfree (tbl);
}
/*
/*
* Returns: True if the keyID is in the given hash table
*/
static int
@ -168,7 +169,7 @@ add_key_hash_table (KeyHashTable tbl, u32 *kid)
for (k = tbl[(kid[1] & 0x03ff)]; k; k = k->next)
if (k->kid[0] == kid[0] && k->kid[1] == kid[1])
return; /* already in table */
kk = new_key_item ();
kk->kid[0] = kid[0];
kk->kid[1] = kid[1];
@ -238,7 +239,7 @@ add_utk (u32 *kid)
{
struct key_item *k;
for (k = utk_list; k; k = k->next)
for (k = utk_list; k; k = k->next)
{
if (k->kid[0] == kid[0] && k->kid[1] == kid[1])
{
@ -273,15 +274,15 @@ verify_own_keys(void)
return;
/* scan the trustdb to find all ultimately trusted keys */
for (recnum=1; !tdbio_read_record (recnum, &rec, 0); recnum++ )
for (recnum=1; !tdbio_read_record (recnum, &rec, 0); recnum++ )
{
if ( rec.rectype == RECTYPE_TRUST
if ( rec.rectype == RECTYPE_TRUST
&& (rec.r.trust.ownertrust & TRUST_MASK) == TRUST_ULTIMATE)
{
byte *fpr = rec.r.trust.fingerprint;
int fprlen;
u32 kid[2];
/* Problem: We do only use fingerprints in the trustdb but
* we need the keyID here to indetify the key; we can only
* use that ugly hack to distinguish between 16 and 20
@ -297,9 +298,9 @@ verify_own_keys(void)
}
/* Put any --trusted-key keys into the trustdb */
for (k = user_utk_list; k; k = k->next)
for (k = user_utk_list; k; k = k->next)
{
if ( add_utk (k->kid) )
if ( add_utk (k->kid) )
{ /* not yet in trustDB as ultimately trusted */
PKT_public_key pk;
@ -445,7 +446,7 @@ init_trustdb()
if(level==0 || level==1)
{
int rc = tdbio_set_dbname( dbname, !!level );
int rc = tdbio_set_dbname (dbname, !!level, &trustdb_args.no_trustdb);
if( rc )
log_fatal("can't init trustdb: %s\n", g10_errstr(rc) );
}
@ -496,7 +497,7 @@ init_trustdb()
static int
trust_letter (unsigned int value)
{
switch( (value & TRUST_MASK) )
switch( (value & TRUST_MASK) )
{
case TRUST_UNKNOWN: return '-';
case TRUST_EXPIRED: return 'e';
@ -545,7 +546,7 @@ uid_trust_string_fixed(PKT_public_key *key,PKT_user_id *uid)
const char *
trust_value_to_string (unsigned int value)
{
switch( (value & TRUST_MASK) )
switch( (value & TRUST_MASK) )
{
case TRUST_UNKNOWN: return _("unknown");
case TRUST_EXPIRED: return _("expired");
@ -614,7 +615,7 @@ check_trustdb ()
/*
* Recreate the WoT.
* Recreate the WoT.
*/
void
update_trustdb()
@ -631,6 +632,9 @@ void
revalidation_mark (void)
{
init_trustdb();
if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
return;
/* we simply set the time for the next check to 1 (far back in 1970)
* so that a --update-trustdb will be scheduled */
if (tdbio_write_nextcheck (1))
@ -666,8 +670,10 @@ read_trust_options(byte *trust_model,ulong *created,ulong *nextcheck,
TRUSTREC opts;
init_trustdb();
read_record(0,&opts,RECTYPE_VER);
if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
memset (&opts, 0, sizeof opts);
else
read_record(0,&opts,RECTYPE_VER);
if(trust_model)
*trust_model=opts.r.ver.trust_model;
@ -689,29 +695,29 @@ read_trust_options(byte *trust_model,ulong *created,ulong *nextcheck,
*********** Ownertrust et al. ****************
***********************************************/
static int
static int
read_trust_record (PKT_public_key *pk, TRUSTREC *rec)
{
int rc;
init_trustdb();
rc = tdbio_search_trust_bypk (pk, rec);
if (rc == -1)
return -1; /* no record yet */
if (rc)
if (rc)
{
log_error ("trustdb: searching trust record failed: %s\n",
g10_errstr (rc));
return rc;
return rc;
}
if (rec->rectype != RECTYPE_TRUST)
{
log_error ("trustdb: record %lu is not a trust record\n",
rec->recnum);
return G10ERR_TRUSTDB;
}
return G10ERR_TRUSTDB;
}
return 0;
}
@ -719,16 +725,19 @@ read_trust_record (PKT_public_key *pk, TRUSTREC *rec)
* Return the assigned ownertrust value for the given public key.
* The key should be the primary key.
*/
unsigned int
unsigned int
get_ownertrust ( PKT_public_key *pk)
{
TRUSTREC rec;
int rc;
if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
return TRUST_UNKNOWN;
rc = read_trust_record (pk, &rec);
if (rc == -1)
return TRUST_UNKNOWN; /* no record yet */
if (rc)
if (rc)
{
tdbio_invalid ();
return rc; /* actually never reached */
@ -737,16 +746,19 @@ get_ownertrust ( PKT_public_key *pk)
return rec.r.trust.ownertrust;
}
unsigned int
unsigned int
get_min_ownertrust (PKT_public_key *pk)
{
TRUSTREC rec;
int rc;
if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
return TRUST_UNKNOWN;
rc = read_trust_record (pk, &rec);
if (rc == -1)
return TRUST_UNKNOWN; /* no record yet */
if (rc)
if (rc)
{
tdbio_invalid ();
return rc; /* actually never reached */
@ -809,7 +821,10 @@ update_ownertrust (PKT_public_key *pk, unsigned int new_trust )
{
TRUSTREC rec;
int rc;
if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
return;
rc = read_trust_record (pk, &rec);
if (!rc)
{
@ -841,7 +856,7 @@ update_ownertrust (PKT_public_key *pk, unsigned int new_trust )
do_sync ();
rc = 0;
}
else
else
{
tdbio_invalid ();
}
@ -854,6 +869,9 @@ update_min_ownertrust (u32 *kid, unsigned int new_trust )
TRUSTREC rec;
int rc;
if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
return;
pk = xmalloc_clear (sizeof *pk);
rc = get_pubkey (pk, kid);
if (rc)
@ -895,7 +913,7 @@ update_min_ownertrust (u32 *kid, unsigned int new_trust )
do_sync ();
rc = 0;
}
else
else
{
tdbio_invalid ();
}
@ -908,7 +926,10 @@ clear_ownertrusts (PKT_public_key *pk)
{
TRUSTREC rec;
int rc;
if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
return 0;
rc = read_trust_record (pk, &rec);
if (!rc)
{
@ -936,8 +957,8 @@ clear_ownertrusts (PKT_public_key *pk)
return 0;
}
/*
* Note: Caller has to do a sync
/*
* Note: Caller has to do a sync
*/
static void
update_validity (PKT_public_key *pk, PKT_user_id *uid,
@ -956,7 +977,7 @@ update_validity (PKT_public_key *pk, PKT_user_id *uid,
return;
}
if (rc == -1) /* no record yet - create a new one */
{
{
size_t dummy;
rc = 0;
@ -1011,6 +1032,8 @@ cache_disabled_value(PKT_public_key *pk)
return (pk->is_disabled==2);
init_trustdb();
if (trustdb_args.no_trustdb)
return 0; /* No trustdb => not disabled. */
rc = read_trust_record (pk, &trec);
if (rc && rc != -1)
@ -1020,10 +1043,10 @@ cache_disabled_value(PKT_public_key *pk)
}
if (rc == -1) /* no record found, so assume not disabled */
goto leave;
if(trec.r.trust.ownertrust & TRUST_FLAG_DISABLED)
disabled=1;
/* Cache it for later so we don't need to look at the trustdb every
time */
if(disabled)
@ -1041,6 +1064,9 @@ check_trustdb_stale(void)
static int did_nextcheck=0;
init_trustdb ();
if (trustdb_args.no_trustdb)
return; /* No trustdb => can't be stale. */
if (!did_nextcheck
&& (opt.trust_model==TM_PGP || opt.trust_model==TM_CLASSIC))
{
@ -1051,7 +1077,7 @@ check_trustdb_stale(void)
if ((scheduled && scheduled <= make_timestamp ())
|| pending_check_trustdb)
{
if (opt.no_auto_check_trustdb)
if (opt.no_auto_check_trustdb)
{
pending_check_trustdb = 1;
log_info (_("please do a --check-trustdb\n"));
@ -1068,7 +1094,7 @@ check_trustdb_stale(void)
/*
* Return the validity information for PK. If the namehash is not
* NULL, the validity of the corresponsing user ID is returned,
* otherwise, a reasonable value for the entire key is returned.
* otherwise, a reasonable value for the entire key is returned.
*/
unsigned int
get_validity (PKT_public_key *pk, PKT_user_id *uid)
@ -1084,6 +1110,14 @@ get_validity (PKT_public_key *pk, PKT_user_id *uid)
namehash_from_uid(uid);
init_trustdb ();
/* If we have no trustdb (which also means it has not been created)
and the trust-model is always, we don't know the validity -
return immediately. If we won't do that the tdbio code would try
to open the trustdb and run into a fatal error. */
if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
return TRUST_UNKNOWN;
check_trustdb_stale();
keyid_from_pk (pk, kid);
@ -1097,7 +1131,7 @@ get_validity (PKT_public_key *pk, PKT_user_id *uid)
log_error ("error getting main key %s of subkey %s: %s\n",
tempkeystr, keystr(kid), g10_errstr(rc));
xfree(tempkeystr);
validity = TRUST_UNKNOWN;
validity = TRUST_UNKNOWN;
goto leave;
}
}
@ -1120,7 +1154,7 @@ get_validity (PKT_public_key *pk, PKT_user_id *uid)
}
if (rc == -1) /* no record found */
{
validity = TRUST_UNKNOWN;
validity = TRUST_UNKNOWN;
goto leave;
}
@ -1153,7 +1187,7 @@ get_validity (PKT_public_key *pk, PKT_user_id *uid)
recno = vrec.r.valid.next;
}
if ( (trec.r.trust.ownertrust & TRUST_FLAG_DISABLED) )
{
validity |= TRUST_FLAG_DISABLED;
@ -1172,7 +1206,7 @@ get_validity (PKT_public_key *pk, PKT_user_id *uid)
* I initially designed it that way */
if (main_pk->has_expired || pk->has_expired)
validity = (validity & ~TRUST_MASK) | TRUST_EXPIRED;
if (pending_check_trustdb)
validity |= TRUST_FLAG_PENDING_CHECK;
@ -1307,7 +1341,7 @@ ask_ownertrust (u32 *kid,int minimum)
keystr(kid), g10_errstr(rc) );
return TRUST_UNKNOWN;
}
if(opt.force_ownertrust)
{
log_info("force trust for key %s to %s\n",
@ -1380,7 +1414,7 @@ dump_key_array (int depth, struct key_array *keys)
}
}
}
}
}
static void
@ -1403,7 +1437,7 @@ store_validation_status (int depth, KBNODE keyblock, KeyHashTable stored)
status = TRUST_UNDEFINED;
else
status = 0;
if (status)
{
update_validity (keyblock->pkt->pkt.public_key,
@ -1418,7 +1452,7 @@ store_validation_status (int depth, KBNODE keyblock, KeyHashTable stored)
if (any)
do_sync ();
}
}
/*
* check whether the signature sig is in the klist k
@ -1450,7 +1484,7 @@ mark_usable_uid_certs (KBNODE keyblock, KBNODE uidnode,
{
KBNODE node;
PKT_signature *sig;
/* first check all signatures */
for (node=uidnode->next; node; node = node->next)
{
@ -1483,7 +1517,7 @@ mark_usable_uid_certs (KBNODE keyblock, KBNODE uidnode,
continue;
}
node->flag |= 1<<9;
}
}
/* reset the remaining flags */
for (; node; node = node->next)
node->flag &= ~(1<<8 | 1<<9 | 1<<10 | 1<<11 | 1<<12);
@ -1531,7 +1565,7 @@ mark_usable_uid_certs (KBNODE keyblock, KBNODE uidnode,
older: if signode was older then we don't want to take n
as signode is nonrevocable. If n was older then we're
automatically fine. */
if(((IS_UID_SIG(signode->pkt->pkt.signature) &&
!signode->pkt->pkt.signature->flags.revocable &&
(signode->pkt->pkt.signature->expiredate==0 ||
@ -1547,7 +1581,7 @@ mark_usable_uid_certs (KBNODE keyblock, KBNODE uidnode,
n was older then we don't want to take signode as n is
nonrevocable. If signode was older then we're
automatically fine. */
if((!(IS_UID_SIG(signode->pkt->pkt.signature) &&
!signode->pkt->pkt.signature->flags.revocable &&
(signode->pkt->pkt.signature->expiredate==0 ||
@ -1578,7 +1612,7 @@ mark_usable_uid_certs (KBNODE keyblock, KBNODE uidnode,
sig = signode->pkt->pkt.signature;
if (IS_UID_SIG (sig))
{ /* this seems to be a usable one which is not revoked.
{ /* this seems to be a usable one which is not revoked.
* Just need to check whether there is an expiration time,
* We do the expired certification after finding a suitable
* certification, the assumption is that a signator does not
@ -1587,7 +1621,7 @@ mark_usable_uid_certs (KBNODE keyblock, KBNODE uidnode,
* different expiration time */
const byte *p;
u32 expire;
p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_SIG_EXPIRE, NULL );
expire = p? sig->timestamp + buffer_to_u32(p) : 0;
@ -1674,7 +1708,7 @@ clean_sigs_from_uid(KBNODE keyblock,KBNODE uidnode,int noisy,int self_only)
delete_kbnode(node);
deleted++;
}
return deleted;
}
@ -1931,7 +1965,7 @@ validate_one_keyblock (KBNODE kb, struct key_item *klist,
{
if (uid->help_full_count >= opt.completes_needed
|| uid->help_marginal_count >= opt.marginals_needed )
uidnode->flag |= 4;
uidnode->flag |= 4;
else if (uid->help_full_count || uid->help_marginal_count)
uidnode->flag |= 2;
uidnode->flag |= 1;
@ -1946,7 +1980,7 @@ validate_one_keyblock (KBNODE kb, struct key_item *klist,
issigned = 0;
get_validity_counts(pk,uid);
mark_usable_uid_certs (kb, uidnode, main_kid, klist,
mark_usable_uid_certs (kb, uidnode, main_kid, klist,
curtime, next_expire);
}
else if (node->pkt->pkttype == PKT_SIGNATURE
@ -1954,7 +1988,7 @@ validate_one_keyblock (KBNODE kb, struct key_item *klist,
{
/* Note that we are only seeing unrevoked sigs here */
PKT_signature *sig = node->pkt->pkt.signature;
kr = is_in_klist (klist, sig);
/* If the trust_regexp does not match, it's as if the sig
did not exist. This is safe for non-trust sigs as well
@ -2047,7 +2081,7 @@ validate_one_keyblock (KBNODE kb, struct key_item *klist,
{
if (uid->help_full_count >= opt.completes_needed
|| uid->help_marginal_count >= opt.marginals_needed )
uidnode->flag |= 4;
uidnode->flag |= 4;
else if (uid->help_full_count || uid->help_marginal_count)
uidnode->flag |= 2;
uidnode->flag |= 1;
@ -2070,7 +2104,7 @@ search_skipfnc (void *opaque, u32 *kid, PKT_user_id *dummy)
* kllist. The caller has to pass keydb handle so that we don't use
* to create our own. Returns either a key_array or NULL in case of
* an error. No results found are indicated by an empty array.
* Caller hast to release the returned array.
* Caller hast to release the returned array.
*/
static struct key_array *
validate_key_list (KEYDB_HANDLE hd, KeyHashTable full_trust,
@ -2081,11 +2115,11 @@ validate_key_list (KEYDB_HANDLE hd, KeyHashTable full_trust,
size_t nkeys, maxkeys;
int rc;
KEYDB_SEARCH_DESC desc;
maxkeys = 1000;
keys = xmalloc ((maxkeys+1) * sizeof *keys);
nkeys = 0;
rc = keydb_search_reset (hd);
if (rc)
{
@ -2110,21 +2144,21 @@ validate_key_list (KEYDB_HANDLE hd, KeyHashTable full_trust,
xfree (keys);
return NULL;
}
desc.mode = KEYDB_SEARCH_MODE_NEXT; /* change mode */
do
{
PKT_public_key *pk;
rc = keydb_get_keyblock (hd, &keyblock);
if (rc)
if (rc)
{
log_error ("keydb_get_keyblock failed: %s\n", g10_errstr(rc));
xfree (keys);
return NULL;
}
if ( keyblock->pkt->pkttype != PKT_PUBLIC_KEY)
if ( keyblock->pkt->pkttype != PKT_PUBLIC_KEY)
{
log_debug ("ooops: invalid pkttype %d encountered\n",
keyblock->pkt->pkttype);
@ -2134,7 +2168,7 @@ validate_key_list (KEYDB_HANDLE hd, KeyHashTable full_trust,
}
/* prepare the keyblock for further processing */
merge_keys_and_selfsig (keyblock);
merge_keys_and_selfsig (keyblock);
clear_kbnode_flags (keyblock);
pk = keyblock->pkt->pkt.public_key;
if (pk->has_expired || pk->is_revoked)
@ -2171,9 +2205,9 @@ validate_key_list (KEYDB_HANDLE hd, KeyHashTable full_trust,
release_kbnode (keyblock);
keyblock = NULL;
}
}
while ( !(rc = keydb_search (hd, &desc, 1)) );
if (rc && rc != -1)
if (rc && rc != -1)
{
log_error ("keydb_search_next failed: %s\n", g10_errstr(rc));
xfree (keys);
@ -2182,7 +2216,7 @@ validate_key_list (KEYDB_HANDLE hd, KeyHashTable full_trust,
keys[nkeys].keyblock = NULL;
return keys;
}
}
/* Caller must sync */
static void
@ -2192,7 +2226,7 @@ reset_trust_records(void)
ulong recnum;
int count = 0, nreset = 0;
for (recnum=1; !tdbio_read_record (recnum, &rec, 0); recnum++ )
for (recnum=1; !tdbio_read_record (recnum, &rec, 0); recnum++ )
{
if(rec.rectype==RECTYPE_TRUST)
{
@ -2231,7 +2265,7 @@ reset_trust_records(void)
* Step 2: loop max_cert_times
* Step 3: if OWNERTRUST of any key in klist is undefined
* ask user to assign ownertrust
* Step 4: Loop over all keys in the keyDB which are not marked seen
* Step 4: Loop over all keys in the keyDB which are not marked seen
* Step 5: if key is revoked or expired
* mark key as seen
* continue loop at Step 4
@ -2243,7 +2277,7 @@ reset_trust_records(void)
* End Loop
* Step 8: Build a new klist from all fully trusted keys from step 6
* End Loop
* Ready
* Ready
*
*/
static int
@ -2313,7 +2347,7 @@ validate_keys (int interactive)
if ( pk->expiredate && pk->expiredate >= start_time
&& pk->expiredate < next_expire)
next_expire = pk->expiredate;
release_kbnode (keyblock);
do_sync ();
}
@ -2389,7 +2423,7 @@ validate_keys (int interactive)
/* Find all keys which are signed by a key in kdlist */
keys = validate_key_list (kdb, full_trust, klist,
start_time, &next_expire);
if (!keys)
if (!keys)
{
log_error ("validate_key_list failed\n");
rc = G10ERR_GENERAL;
@ -2407,9 +2441,9 @@ validate_keys (int interactive)
store_validation_status (depth, kar->keyblock, stored);
log_info (_("depth: %d valid: %3d signed: %3d"
" trust: %d-, %dq, %dn, %dm, %df, %du\n"),
" trust: %d-, %dq, %dn, %dm, %df, %du\n"),
depth, valids, key_count, ot_unknown, ot_undefined,
ot_never, ot_marginal, ot_full, ot_ultimate );
ot_never, ot_marginal, ot_full, ot_ultimate );
/* Build a new kdlist from all fully valid keys in KEYS */
if (klist != utk_list)
@ -2471,10 +2505,10 @@ validate_keys (int interactive)
if (!rc && !quit) /* mark trustDB as checked */
{
if (next_expire == 0xffffffff || next_expire < start_time )
tdbio_write_nextcheck (0);
tdbio_write_nextcheck (0);
else
{
tdbio_write_nextcheck (next_expire);
tdbio_write_nextcheck (next_expire);
log_info (_("next trustdb check due at %s\n"),
strtimestamp (next_expire));
}